The Heartbleed bug is thought to have affected two thirds of web servers
worldwide. What action should you take to protect yourself?

A web encryption flaw known as the 'Heartbleed' bug has made headlines this week, after it emerged that attackers could exploit the flaw to steal passwords, credit card details, encryption keys and other sensitive data, without leaving any trace.

Heartbleed is thought to be one of the most serious security flaws ever found, partly because it remained undiscovered for more than two years. Experts estimate that around two-thirds of the world's web servers run the software that contains the flaw, known as OpenSSL, meaning they are vulnerable to attack until a security patch is installed.

The security researchers who discovered the bug have advised people to change all of their passwords. However, other security experts are advising consumers to wait, warning that if users change passwords while sites are still vulnerable, their new passwords will be exposed too.

They recommend that, before making any changes, users should check a site for an announcement that it has dealt with the issue. Alternatively, they can find out if a site is still vulnerable by copying and pasting the URL into this website.

The list of potentially affected sites is very long, so The Telegraph has compiled a list of the most popular social media, search, email, banking and retail sites, with the latest information on whether or not the flaw has been fixed:

Facebook

Was it affected? Yes
Has it been patched? Yes
Do you need to change your password? Yes
What they said: "We added protections for Facebook’s implementation of OpenSSL before this issue was publicly disclosed, and we’re continuing to monitor the situation closely."

Twitter

Was it affected? No
Has it been patched? No
Do you need to change your password? No
What they said: "We were able to determine that twitter.com and api.twitter.com servers were not affected by this vulnerability."

LinkedIn

Was it affected? No
Has it been patched? No
Do you need to change your password? No
What they said: "We didn't use the offending implementation of OpenSSL in www.linkedin.com or www.slideshare.net. As a result, Heartbleed does not present a risk to these web properties."

Pinterest

Was it affected? Yes
Has it been patched? Yes
Do you need to change your password? Yes
What they said: "This week we took steps with many other websites affected by Heartbleed in acting quickly to secure accounts. We fixed the issue on Pinterest.com, and didn’t find any evidence of mischief. To be extra careful, we e-mailed Pinners who may have been impacted, and encouraged them to change their passwords."

Tumblr

Was it affected? Yes
Has it been patched? Yes
Do you need to change your password? Yes
What they said: "We have no evidence of any breach and, like most networks, our team took immediate action to fix the issue."

Google

Was it affected? Yes
Has it been patched? Yes
Do you need to change your password? Yes
What they said: "We've assessed the SSL vulnerability and applied patches to key Google services such as Search, Gmail, YouTube, Wallet, Play, Apps and App Engine. Google Chrome and Chrome OS are not affected."

Yahoo

Was it affected? Yes
Has it been patched? Partly
Do you need to change your password? Yes
What they said: "Our team has successfully made the appropriate corrections across the main Yahoo properties (Yahoo Homepage, Yahoo Search, Yahoo Mail, Yahoo Finance, Yahoo Sports, Yahoo Food, Yahoo Tech, Flickr, and Tumblr) and we are working to implement the fix across the rest of our sites right now."

Apple

Was it affected? No
Has it been patched? No
Do you need to change your password? No
What they said: "Apple takes security very seriously. iOS and OS X never incorporated the vulnerable software and key web-based services were not affected."

AOL

Was it affected? No
Has it been patched? No
Do you need to change your password? No
What they said: "We were not running the vulnerable version of OpenSSL."

Hotmail/Outlook

Was it affected? No
Has it been patched? No
Do you need to change your password? No
What they said: "Microsoft services were not running OpenSSL"

Amazon

Was it affected? No
Has it been patched? No
Do you need to change your password? No
What they said: "Amazon.com is not affected."

Asos

Was Asos affected? No
Has it been patched? No
Do you need to change your password? No
What they said: "Customers do not need to change their passwords but if they use the same password on sites that are affected then they should take sensible precautions."

eBay

Was it affected? Unknown
Has it been patched? Unknown
Do you need to change your password? Unknown
What they said: "eBay is aware of the security vulnerability identified in a version of Open SSL, also known as the Heartbleed Bug. The vast majority of our services were not impacted and our users can continue to shop securely on our marketplace."

PayPal

Was it affected? No
Has it been patched? No
Do you need to change your password? No
What they said: "Your PayPal account is secure; Your PayPal account details were not exposed in the past and remain secure; You do not need to take any additional action to safeguard your information."

HSBC

Was it affected? No
Has it been patched? No
Do you need to change your password? No
What they said: "We are aware of the OpenSSL Heartbleed bug, and have been investigating this issue across HSBC systems globally. We have not found any HSBC systems that are affected but we continue to review and monitor the situation closely."

Lloyds TSB

Was it affected? No
Has it been patched? No
Do you need to change your password? No
What they said: "Our online banking systems are not exposed to this vulnerability. As such customers are advised that there is currently no need for them to take any action with regards to changing Lloyds Banking Group passwords."

RBS/Natwest

Was it affected? No
Has it been patched? No
Do you need to change your password? No
What they said: "We continually monitor the security of our sites and take all actions to protect them. Due to the way our customer websites are provided we are not exposed to this vulnerability."

Barclays

Was it affected? No
Has it been patched? No
Do you need to change your password? No
What they said: “We take all potential vulnerabilities seriously. We constantly review all of the global technology platforms Barclays operates to ensure our customers and clients are protected.”

Co-Op Bank

Was it affected? No
Has it been patched? No
Do you need to change your password? No
What they said: "We have checked all our systems and none are at risk."

Gov.uk

Was it affected? No
Has it been patched? No
Do you need to change your password? No
What they said: “Gov.uk is not vulnerable to the Heartbleed issue. People should take advice on changing passwords from the websites they use. Most websites have corrected the bug and are best placed to advise what action, if any, people need to take.”

Dropbox

Was it affected? Yes
Has it been patched? Yes
Do you need to change your password? Yes
What they said: "We’ve patched all of our user-facing services & will continue to work to make sure your stuff is always safe."

Netflix

Was it affected? Unknown
Has it been patched? Unknown
Do you need to change your password? Unknown
What they said: "Like many companies, we took immediate action to assess the vulnerability and address it. We are not aware of any customer impact."

OKCupid

Was it affected? Yes
Has it been patched? Yes
Do you need to change your password? Yes
What they said: "We, like most of the Internet, were stunned that such a serious bug has existed for so long and was so widespread."

Match.com

Was it affected? No
Has it been patched? No
Do you need to change your password? No
What they said: "Match.com services do not run on the vulnerable version of OpenSSL, therefore our members have not been affected."

----------

Advice from the Institution of Engineering and Technology (IET) to combat the Heartbleed bug:

1. Change your passwords – but only after the affected website operators and ISP have implemented the patch to fix the bug. Changing your password before the bug is fixed could compromise your new password.